Redirection

Redirection or re-routing involves gaining access to a router to change the route table entries or spoofing the identity of routers or hosts so traffic is directed to a compromised device.

  • In port redirection, an adversary uses a machine with access to the internal network to pass traffic through a port on the firewall or access control list (ACL). The port in question normally denies traffic, but with redirection she can bypass security measures and open a tunnel for communication.
  • In DNS redirection an adversary subverts the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a user device's TCP/IP configuration to point at a rogue DNS server under the control of an adversary, or through modifying the behaviour of a trusted DNS server or router.
    • DNS redirection is used to spread malware and is used in phishing, pharming and MitM attacks.
    • Many Internet Service Providers (ISPs) use DNS redirection to take over a user’s DNS requests for the collection of statistics and returning ads when users access an unknown domain. They do this by hijacking the NXDOMAIN response.
    • Some governments use DNS hijacking for censorship, redirecting users to government-authorised sites.
  • In a virtual confusion attack an adversary can take an HTTPS connection meant for a virtual host that shares TLS credentials with another virtual host, either on the same or on different web servers, and redirect it to the other. The TLS connection succeeds because of the shared TLS credentials; then, because of virtual host fallback, the request is processed by a virtual host that was never intended to serve content for the domain in the Host header. The adversary can subvert the browser's intended origin of the request, with various exploitable results.
    • A network attacker can always break the same-origin policy between different ports on the same domain, by redirecting connections from one port to another.
    • If two servers serving two independent domains share a common certificate (covering both domains), or a cached TLS session, the network attacker can cause pages from one server to be loaded under the other’s origin.

Users

  • Use an encrypted VPN channel.
  • If your ISP is hijacking your DNS, use a free, alternative DNS service, and be aware that a 'free' service might have hidden privacy downsides.
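A simple way to tell whether a resolver is hijacking NXDOMAIN responses (the ISP behaviour described above) is to ask it for names that cannot exist and see whether it still returns an address. The following is an added example, not part of the original page: the resolver is passed in as a callable so the check can run offline against constructed answers, and the parent domain used for the probes is a placeholder.

```python
"""Detect NXDOMAIN hijacking by a DNS resolver.

An honest resolver answers a random, non-existent name with NXDOMAIN.
A resolver that returns an address instead is synthesizing answers,
which is how ISP ad pages or captive redirects are injected.
"""
import secrets
import socket
from typing import Callable, Dict, Optional

# Constructed placeholder parent domain; any domain you control works.
PROBE_PARENT = "example.net"

# A lookup returns an IPv4 address string, or None for NXDOMAIN/failure.
Lookup = Callable[[str], Optional[str]]


def random_probe_name(parent: str = PROBE_PARENT) -> str:
    """Return a name that almost certainly does not exist.

    A fresh random label per probe means no cache can hold a real answer.
    """
    return f"nx-{secrets.token_hex(8)}.{parent}"


def system_lookup(name: str) -> Optional[str]:
    """Resolve through the operating system's configured resolver."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None  # NXDOMAIN or other resolution failure


def probe_resolver(lookup: Lookup, probes: int = 3) -> Dict[str, object]:
    """Query `lookup` for several random names and report synthesized answers.

    Returns a dict with the probe count, a mapping of probe name -> address
    for every probe that unexpectedly resolved, and a boolean verdict.
    """
    synthesized: Dict[str, str] = {}
    for _ in range(probes):
        name = random_probe_name()
        answer = lookup(name)
        if answer is not None:
            synthesized[name] = answer
    return {
        "probes": probes,
        "synthesized": synthesized,
        # Even one synthesized answer means the resolver rewrites NXDOMAIN.
        "hijacked": bool(synthesized),
        # A hijacking resolver usually points every miss at the same sinkhole.
        "sinkholes": sorted(set(synthesized.values())),
    }


if __name__ == "__main__":
    # Runs against the local system resolver when executed directly.
    report = probe_resolver(system_lookup)
    print("NXDOMAIN hijacked" if report["hijacked"] else "resolver honest", report)
```

If the verdict is positive, the `sinkholes` list shows where failed lookups are being sent; comparing it with a lookup through an alternative resolver confirms the redirection is happening at the resolver rather than in the zone itself.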

Port redirection

  • Port redirection attacks are a form of trust exploitation attack: a compromised host is used to pass traffic that the firewall should not pass but drop. Make sure the firewall drops it.

DNS redirection

  • DNS redirection attacks are also a form of trust exploitation attack.
  • When running a DNS server that is not registered with ICANN and for which you do not control your own reverse zone, do not let it answer Internet DNS queries (port 53).
  • If Internet queries on a local DNS do need to be answered, consider RNDC encryption, stub zones (for commonly accessed domains, or domains that could easily be compromised), and decreasing the TTL values (for example to 15 minutes).
  • Create and maintain PTR zones. Use the available validation check of the PTR (or 'reverse') records: if the 'authoritative' name server provides an answer different from what is locally resolved, the DNS packet is marked as invalid (most TCP/IP stacks will notice that and not handle such marked traffic).
  • Forward only to verified DNS servers. Do not forward to Root Servers.
  • Block DHCP in the firewall except from the legitimate DHCP server on the local network.

Virtual confusion

  • Prevent virtual host fallback in HTTPS implementations.
  • Do not use Multi-Domain certificates. Having the same certificate for the www prefix can already lead to confusion attacks, but in most cases both are served by the same virtual host.
  • Do not share TLS cache.
  • A network attacker can impersonate users on websites that use single sign-on protocols based on token redirection to a secure registered origin, if this origin can be confused for another which contains redirections to any plain HTTP URL.
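The first countermeasure above, preventing virtual host fallback, is easiest to see on a model of the server side of the attack. The following is an added example and not code from the original page: it models a server whose certificate covers two unrelated names (constructed), receives a request a network attacker has routed to it for a name it does not serve, and either falls back to its default virtual host (the vulnerable behaviour) or answers 421 Misdirected Request (the hardened behaviour). Host names, content strings and the class names are assumptions made for the example.

```python
"""Virtual host dispatch with and without fallback.

The TLS handshake already succeeds because the shared certificate covers
the name the browser asked for, so routing of the Host header is the last
point at which the server can refuse to serve content under an origin it
was never configured for.
"""
from typing import Dict, Set, Tuple

Response = Tuple[int, str]  # (status code, body); status 0 = handshake failed


def normalize_host(host_header: str) -> str:
    """Lower-case a Host header and strip an explicit port (hostnames only)."""
    return host_header.strip().lower().partition(":")[0]


class VirtualHostServer:
    """One HTTPS server with a set of named virtual hosts and one certificate."""

    def __init__(self, vhosts: Dict[str, str], default: str,
                 cert_sans: Set[str], allow_fallback: bool) -> None:
        self.vhosts = vhosts            # served name -> content it serves
        self.default = default          # vhost used when fallback is allowed
        self.cert_sans = cert_sans      # names covered by the presented cert
        self.allow_fallback = allow_fallback

    def tls_accepts(self, sni: str) -> bool:
        """Handshake succeeds whenever the certificate covers the SNI name."""
        return sni.lower() in self.cert_sans

    def handle(self, sni: str, host_header: str) -> Response:
        host = normalize_host(host_header)
        # Normal case: the Host names a configured vhost and matches the SNI.
        if host in self.vhosts and host == sni.lower():
            return 200, self.vhosts[host]
        if self.allow_fallback:
            # Vulnerable: content of the default vhost is served under a Host
            # (and therefore a browser origin) this server never claimed.
            return 200, self.vhosts[self.default]
        # Hardened: refuse rather than guess; 421 tells the client it reached
        # a server that is not authoritative for the requested name.
        return 421, "Misdirected Request"


def simulate_redirected_request(server: VirtualHostServer, intended_host: str) -> Response:
    """Browser intends `intended_host`; the network attacker routes the TCP
    connection to `server` instead. SNI and Host both carry the intended name."""
    if not server.tls_accepts(intended_host):
        return 0, "TLS handshake failed: certificate does not cover name"
    return server.handle(sni=intended_host, host_header=intended_host)


# Constructed scenario: one certificate shared by two independent sites.
SHARED_CERT = {"shop.example.com", "admin.example.com"}
ADMIN_VHOSTS = {"admin.example.com": "admin console"}

admin_with_fallback = VirtualHostServer(ADMIN_VHOSTS, "admin.example.com", SHARED_CERT, True)
admin_strict = VirtualHostServer(ADMIN_VHOSTS, "admin.example.com", SHARED_CERT, False)
admin_own_cert = VirtualHostServer(ADMIN_VHOSTS, "admin.example.com", {"admin.example.com"}, True)
```

Running the three servers against a request the browser meant for `shop.example.com` shows the three outcomes the countermeasures aim at: the fallback server serves the admin console under the shop origin, the strict server returns 421, and the server with its own certificate never completes the handshake.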